Mobile Threat Blog

YouMi Vulnerability Harvests and Shares PII

Recently, researchers at SourceDNA identified an Apple iOS SDK (YouMi) that harvested PII (Personally Identifiable Information) and shared it with remote servers. While many SDKs used by developers collect PII, what caught the researchers' attention was that YouMi successfully used evasive techniques (undocumented API calls) that went undetected by Apple’s app review process, allowing the app to collect PII without the need for user disclosure.

Appthority’s App Risk Management service already has policy checks in place that identify PII being collected and sent over the network, regardless of the techniques used to harvest the PII. However, since this SDK has been deemed a violation of iTunes policy, we have also created a specific “YouMi SDK” behavior policy that can be used to create an App List in the Portal to identify apps and mobile devices in your enterprise environment that are infected with the YouMi SDK. A search of our global app database found a significant number of infected iOS apps (551 unique apps) on our customers’ enterprise devices.

Recommendation

Appthority recommends using our portal to identify mobile devices and apps in your enterprise infected with the YouMi SDK and taking steps to remove them from those devices. We’ve provided a guide that steps through this process for Appthority customers.

Keep in mind that even though Apple has removed most of these apps from the iTunes stores, they may still reside on mobile devices as “dead apps” and will still need to go through the removal process.